Who’s Responsible For Security?

Experts at the Table, part 2: Cheap components contaminating the supply chain, the need for platforms and certifications, and the futility of trying to future-proof devices.

Semiconductor Engineering sat down to discuss security issues and how to fix them with Mark Schaeffer, senior product marketing manager for secure solutions at Renesas Electronics; Haydn Povey, CTO of Secure Thingz; Marc Canel, vice president of security systems and technologies at Arm; Richard Hayton, CTO of Trustonic; Anders Holmberg, director of corporate development at IAR Systems. What follows are excerpts of that conversation. To view part one, click here.


L-R: Anders Holmberg, Marc Canel, Mark Schaeffer, Haydn Povey, Richard Hayton. Photo credit: Brian Bailey

SE: A lot of IoT companies are very small, and when they’re creating a product it might be with 5 or 10 people. They don’t necessarily have the budgets for adding security, but those devices are connected to other devices. How do we handle that?

Hayton: There are two different ways of looking at security. The (Mirai) botnet attack is very interesting because the people who make baby monitors or other devices don’t really care about security after they’ve sold their device and made their money. And frankly, you can’t expect the rest of the world to be good and not attack you. Even if you have the best regulations in the world, there will still be people who don’t follow them. The most popular home gateways are the least secure, and it’s always been like that.

Schaeffer: That’s why a platform approach to security is a good idea. If you have a platform that deals with connecting to the Internet, and you have a secure boot manager, that helps your brand. You want to get people to the point where they have to use a platform that is a known quantity, especially if it has a UL-type of stamp for security. You can’t sell a toaster without a UL stamp. Will we get to that point in security?

Hayton: You might get to that with a home gateway provided by your Internet service provider. Today they have a firewall to protect bad guys from attacking things in your house, and that also can be reversed to protect the Internet from all the bad things in your house.

Povey: There will never be enough security engineers in the world. We have to enable everyone to leverage best practices far more easily and quickly by adding efficiency through an organization. We need that at the chip level. That includes a proper root of trust that is measurable, constrainable, and certifiable. We have to have the right secure boot processes, and low-level drivers have to be there. The tools have to encompass security and enable people to develop secure devices easily, quickly and intelligently. And then we need to manufacture it securely. So security has to operate throughout the supply chain of trust. And we have to have certification methodologies and conformance behind that.

Canel: If you go back to the initial question about who is responsible for security, it’s actually everyone across the supply chain. So yes, the service provider has a responsibility. But it’s also the device manufacturer, the various technology suppliers, and the people in charge of the manufacturing systems. Sometimes we forget, as we develop solutions, to make them easy to integrate. We forget basic principles of good design through layers. We forget the concept of peer reviews and try to find niches. In the case of security, it’s very important to have system architectures and system business models that people can rely upon. And technology companies have to promote good practices, including ecosystems that make it easy for device manufacturers to pull things together. You can’t expect a device manufacturer to understand the millions of lines of code that go with their product when they are finished integrating everything together. It’s not possible. All the parties in that supply chain have a responsibility downward in the supply chain and upward in the value chain.

Holmberg: Sooner or later we will be forced to certify technologies and products if they are connected to the Internet.

SE: So where is the motivation in the value chain?

Povey: That’s a big problem. How do you incentivize people for security? When the device is already out in the market, the attitude is, ‘Who cares?’ You’re not going to change that. But what you can do is focus on the part of security that people in the value chain care about. From an OEM perspective, we found out they care about IP theft, people overproducing, gray market trading and cloning. So while people in the supply chain may not have skin in the game once the device is out there, if they’re putting security in for their own selfish needs, then that can be leveraged. You have to align business needs. People will always do the minimum for the best reward. But you have to identify which bits of security they care about. The top concern for people is privacy. You may not care about the European Union regulations on security, but if you’re an OEM and you’ve spent millions of dollars developing IP, you don’t want that being sold illicitly.

Hayton: A lot of these devices are running open-source software. But this kind of behavior isn’t new. If you go back to the 1800s, there was food being sold with sweepings from shop floors. We had children’s toys with sharp parts inside. The government reacted by putting standards in place. That’s probably going to happen here, as well. But it’s going to take a lot of time. It’s hard to figure out there’s a bad SSL stack in something.

Schaeffer: The big question is to what extent insurance companies will drive this forward because of product liability.

Canel: We’re going to see things move at different speeds, depending upon the markets. So you’re going to see it in automotive, for example, faster than in consumer electronics.

SE: If you look at IIoT, medical and automotive, these devices will be around for 10 or 20 years. We’re looking at security today in terms of what we know now. How do we future-proof security?

Schaeffer: There is a lot of talk about quantum computing. If you apply that to a power meter, which has a 30-year lifecycle, it’s a real challenge. You’ll need ECC and firmware updates. It’s going to vary a lot by the industry, but people are beginning to ask these questions. And sometimes it leads to paralysis, where they decide not to deploy it.

Hayton: The concern that governments have with post-quantum cryptography is that all governments are collecting data today in the hopes that tomorrow they can decode it. It’s a backward in time thing. How you address that will be very difficult. But one thing that people agree on is, ‘Don’t think you’re going to ship a device and think that you’re done.’ It needs to be updated because new threats will come along and you have to react to them.

Schaeffer: Analytics is another big focus area. If certificates have been compromised, that requires analytics to detect they were compromised, and then you need to do something about it. It’s surprising how little infrastructure there is in place to do that, so we’re probably going to see a lot more analytics.

Povey: The problem is that every system we create today already can be attacked. With sufficiently complex code in there, there will be errata. And there are nation states or ransomware purveyors with sufficient skills to utilize that. Every system we ship today can and will be compromised. It’s just a matter of time. When you look at system design today, you have to presume your system will be overwhelmed and your defenses will be lost. The question is what do you do about that. How do you identify that something has been compromised, and how do you recover and remediate your system and patch it to such a state that it’s again usable. That’s true of industrial IoT. We’ve seen that with steel mills, where they’ve been taken over. There was $50 million in damage to a steel mill in Germany. We’ve seen it in transportation. And we’ve seen it in practically every aspect of IoT. It’s the new reality. You have to have a mutable set of capabilities at the bottom of that stack, which enable you to regain control and to start the patch management, with all the complexities that encompasses.
